Skip to content

Add extra metadata to the join_token.create audit event (#47766) #6024

Add extra metadata to the join_token.create audit event (#47766)

Add extra metadata to the join_token.create audit event (#47766) #6024

Workflow file for this run

name: Bloat Check
on:
push:
paths:
- '.github/workflows/bloat.yaml'
- '**.go'
- 'go.mod'
- 'go.sum'
- '**.rs'
- 'Cargo.toml'
- 'Cargo.lock'
branches:
- master
- branch/**
jobs:
bloat_check:
name: Bloat Check
runs-on: ubuntu-latest
outputs:
base_stats_file: ${{ steps.build_base.outputs.base_stats_file }}
current_build_dir: ${{ steps.build_branch.outputs.build_dir }}
permissions:
contents: read
container:
image: ghcr.io/gravitational/teleport-buildbox:teleport15
steps:
- name: Checkout base
uses: actions/checkout@v3 # Cannot upgrade to v4 while this runs in centos:7 due to nodejs GLIBC incompatibility
with:
ref: ${{ github.event.before }}
- name: Prepare workspace
uses: ./.github/actions/prepare-workspace
- name: Checkout shared-workflow
uses: actions/checkout@v3 # Cannot upgrade to v4 while this runs in centos:7 due to nodejs GLIBC incompatibility
with:
repository: gravitational/shared-workflows
path: .github/shared-workflows
ref: main
- name: Setup base cache
uses: actions/cache/restore@v3
id: cache-build-restore
with:
path: |
~/teleport_base_build_stats
key: ${{ github.job }}-${{ runner.os }}-${{ github.event.before }}
- name: Generate GitHub Token
id: generate_token
uses: actions/[email protected] # Cannot upgrade past v1.1 while this runs in centos:7 due to nodejs GLIBC incompatibility
with:
app_id: ${{ secrets.REVIEWERS_APP_ID }}
private_key: ${{ secrets.REVIEWERS_PRIVATE_KEY }}
- if: ${{ steps.cache-build-restore.outputs.cache-hit != 'true' }}
name: Build base
id: build_base
run: |
make WEBASSETS_SKIP_BUILD=1 BUILDDIR=base_build binaries
cd .github/shared-workflows/bot && go run main.go -workflow=binary-sizes --artifacts="tbot,tctl,teleport,tsh" --builddir="../../../base_build" -token="${{ steps.generate_token.outputs.token }}" -reviewers="${{ secrets.reviewers }}" >> ~/teleport_base_build_stats
echo "base_stats_file=~/teleport_base_build_stats" >> $GITHUB_OUTPUT
echo "base_stats=$(cat ~/teleport_base_build_stats)" >> $GITHUB_ENV
- if: ${{ steps.cache-build-restore.outputs.cache-hit != 'true' }}
name: Save base build
id: base-build-save
uses: actions/cache/save@v3
with:
path: |
${{ steps.build_base.outputs.base_stats_file }}
key: ${{ github.job }}-${{ runner.os }}-${{ github.event.before }}
- if: ${{ steps.cache-build-restore.outputs.cache-hit == 'true' }}
name: Restore base stats
id: restore-base-stats
run: |
echo "base_stats=$(cat ~/teleport_base_build_stats)" >> $GITHUB_ENV
- name: Checkout branch
uses: actions/checkout@v3 # Cannot upgrade to v4 while this runs in centos:7 due to nodejs GLIBC incompatibility
with:
clean: false
ref: ${{ github.event.after }}
- name: Checkout shared-workflow
uses: actions/checkout@v3 # Cannot upgrade to v4 while this runs in centos:7 due to nodejs GLIBC incompatibility
with:
repository: gravitational/shared-workflows
path: .github/shared-workflows
ref: main
- name: Build Binaries
id: build_branch
run: |
BUILD_SECRET=FAKE_SECRET make WEBASSETS_SKIP_BUILD=1 binaries
- name: Check for Environment Leak
id: check_branch_env_leak
run: |
for binary in $(pwd)/build/*; do \
if strings $binary | grep -q 'FAKE_SECRET'; then \
echo "Error: $binary contains FAKE_SECRET"; \
exit 1; \
fi; \
done
- name: Check for bloat
id: check_branch_bloat
run: |
current=$(pwd)/build
cd .github/shared-workflows/bot && go run main.go -workflow=bloat --artifacts="tbot,tctl,teleport,tsh" --base="${base_stats}" --builddir="${current}" -token="${{ steps.generate_token.outputs.token }}" -reviewers="${{ secrets.reviewers }}" > $GITHUB_STEP_SUMMARY